romfast/echo-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): restore /echo prefix after proxy strips it from next param

Browse Source 
The reverse proxy strips /echo/ before Python, so next=/workspace.html.
Both the JS redirect and the server-side already-logged-in path now
prepend /echo to produce a valid public URL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marius Mutu
2026-04-29 14:11:22 +00:00
parent 38259f3cfd
commit 77df09974c
2 changed files with 17 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
dashboard/login.html
View File

@@ -257,8 +257,11 @@
// relative /echo/ path to prevent open-redirect attacks.
var params = new URLSearchParams(window.location.search);
var next = params.get('next') || '';
var dest = (next && /^\/echo\/[^/]/.test(next) && next.indexOf('/echo/login') !== 0)
? next
// The proxy strips /echo/ before Python, so `next` is
// e.g. "/workspace.html". Re-add the /echo prefix for
// the browser. Guard against open-redirect (no ://).
var dest = (next && /^\/[^/]/.test(next) && next.indexOf('://') === -1)
? '/echo' + next
: '/echo/workspace.html';
window.location.assign(dest);
return;